The day the world stopped for Conficker and became a lot more secure for it

Opinion by Dan Raywood

When I sit down to write this blog on a weekly basis I occasionally struggle to recall a subject that has stolen the headlines.

This week is probably the first instance in my time at SC where one subject not only took over the headlines of the SC website and daily newswire, but also filled the national headlines, blog posts and water cooler conversations.

In hindsight, there is a sense of shame in the belief that the world was going to end on 1st April because of the Conficker worm. After all, this was April Fools' Day, and apart from the Guardian's claim about its complete move to Twitter and Jeremiah Grossman's new certification programme ‘ASS’, this was arguably the biggest prank of them all.

However, was it a prank at all? Reports on the day itself had an air of anticipation about them, as experts and researchers awaited something happening, all the while knowing that nothing at all was going to happen.

Then, in the days that followed towards the end of the week, news began to filter through that there had been incidents of infected computers ‘calling home’. Patrik Runald, chief security advisor at F-Secure, claimed that the worm did in fact work as intended and started generating a list of websites in an attempt to download updates to itself.

He claimed that the failing was on the part of the authors, or controllers (who may be the same people, for all we know), who did not publish an update on any of the websites that Conficker tried to contact, and as a result there was no major activity.

Runald said: “What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such a global cooperation within the industry and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.”
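As an added illustration (not code from the article, F-Secure or the Conficker Working Group), the following Python sketches the defensive idea Runald describes: if the worm's domain generation routine is known, defenders can compute the day's candidate domains before the worm asks for them, register or sinkhole them, and flag hosts seen querying them in DNS logs. The generation function is a constructed stand-in, not Conficker's real algorithm, and the DNS log lines and IP addresses are constructed too.

```python
import hashlib
from datetime import date

# Constructed stand-in for a date-seeded domain generation algorithm. It is NOT
# Conficker's real algorithm; it only has the property the article relies on:
# every infected host derives the same candidate update domains from the date,
# so anyone who has reverse-engineered the routine can compute them in advance.
TLDS = ("com", "net", "org")

def generate_domains(day: date, count: int = 5) -> list[str]:
    """Derive `count` candidate update domains for `day` (deterministic)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first 8 hex digits onto lowercase letters to form a label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:8])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def build_sinkhole_set(day: date, count: int = 5) -> set[str]:
    """Defender side: pre-compute the day's domains so they can be registered
    (or sinkholed) before the worm asks for them, as the Working Group did."""
    return set(generate_domains(day, count))

def flag_callbacks(dns_log: str, sinkhole: set[str]) -> dict[str, list[str]]:
    """Scan 'client qname' DNS log lines and report each client that resolved
    a generated domain, i.e. a host that is probably infected and calling home."""
    hits: dict[str, list[str]] = {}
    for line in dns_log.strip().splitlines():
        client, qname = line.split()
        if qname.lower().rstrip(".") in sinkhole:
            hits.setdefault(client, []).append(qname)
    return hits

def demo(day: date = date(2009, 4, 1)) -> dict[str, list[str]]:
    """Run the detection over a constructed DNS log for the activation date."""
    domains = generate_domains(day)
    # Constructed log: two hosts query generated domains, one is benign traffic.
    log = "\n".join([
        f"10.0.0.5 {domains[0]}",
        "10.0.0.7 www.example.com",
        f"10.0.0.9 {domains[3]}.",  # trailing dot, as resolvers often log it
        f"10.0.0.5 {domains[2]}",
    ])
    return flag_callbacks(log, build_sinkhole_set(day))

if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host} queried generated domains: {names}")
```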
 

His last sentence seemed to ring true. Looking back only 48 hours from the time of writing, would the controllers have used the botnet to start sending spam, or to launch a huge attack, with the eyes of the world upon them and with every computer user having been encouraged to patch, update their anti-virus and check their security settings in the preceding days and weeks?

It does seem comparable to bank robbers sending a ‘we're going to rob you next Tuesday at 3pm’ card, but the other factor to consider is whether the authors were just trying to gain their 15 minutes of fame.

I don't think there is any doubt that research was done and that there was a firm belief that something larger was coming. A couple of weeks ago I met Jose Nazario, manager of security research at Arbor Networks, who claimed that he and his team had spent the previous ‘busy’ three weeks researching the next likely actions of the worm.

At the time, he said: “Many businesses have checked their security to make sure that they will be covered. The 1st April may be a hoax, but to the best of our understanding it is not a joke and it appears that something will happen.”

So even a week before 1st April there was a hint that it could be a hoax, and I think the overall consensus is that people were so prepared that even if there had been a major outbreak and half the internet were now poisoned, we would have known about it before, during and after the event.

In a blog that I wrote on the day, where I collected together various opinions on what was going to happen, most bloggers pointed to the comments of Joe Stewart, who claimed that all that would happen is that ‘already-infected systems will begin to use a new algorithm to locate potential update servers’.

The senior researcher at SecureWorks said: “My personal opinion is that the 1st April activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm author(s).

“Conficker may not be something to laugh about, but it's also not quite as serious as one might believe from reading about it in the press. If you've already taken steps to protect your network against Conficker and similar network worms, you'll have plenty of time on 1st April to read all the same old fake news stories/blog posts and prank your co-workers.”

It is known and understood that the controllers could press the ‘start’ button at any moment, and from their point of view it would not be a bad idea to do so once the world has become more blasé about Conficker. The real bonus here is that a lot of people have learnt about internet security, malware and the need for protection – and on a day when the G20 protests took the headlines, we came away with a few gold stars.